NayaPapa11
Contributor
Contributor

BDE 2.2 cannot enable SSO when VMCA as subordinate Certificate Authority

Hello all,

I'm trying to install BDE2.2  in a lab environment and I'm running into a error when i tried to enable sso.  "Cannot reach SSO Lookup Service. Verify that the URL is correct and the service is running."

vCenter and hosts are 6.0 with last patch.

i have one PSC appliance working as subordinate CA, the root CA is self-signed CA running on windows server 2012r2.

vcenter is also an appliance, and its certificate looks good.

BDE 2.2 vApp installed OK.

vCenter plug-in installed OK.

Lookup service URL I used https://myPSC:443/lookupservice/sdk

I checked log for enable sso: (/opt/serengeti/ssotool/installer.log)

[2015-08-04 16:43:40,634 main  DEBUG com.vmware.vim.install.cli.RegTool] $Id: //depot/vicore/vicore-2013/regtool/viregtool/src/main/java/com/vmware/vim/install/cli/RegTool.java#4 $

[2015-08-04 16:43:40,636 main  DEBUG com.vmware.vim.install.cli.RegTool] Executing command: storeSsoData -d https://psc01.lab.local:443/lookupservice/sdk -f /opt/serengeti/ssotool/ssoData

[2015-08-04 16:43:40,671 main  INFO  com.vmware.vim.install.impl.RegistrationProviderImpl] Intializing registration provider...

[2015-08-04 16:43:41,270 main  DEBUG com.vmware.vim.install.impl.LookupServiceAccess] Creating VMODL client for LookupService

[2015-08-04 16:43:41,274 main  INFO  com.vmware.vim.install.impl.CertificateGetter] Getting SSL certificates for https://psc01.lab.local:443/lookupservice/sdk

[2015-08-04 16:43:41,654 main  DEBUG com.vmware.vim.install.impl.CertificateGetter] Establishing socket connection to psc01.lab.local/192.168.102.2:443. Timeout is 60000

[2015-08-04 16:43:42,475 main  DEBUG com.vmware.vim.install.impl.AdminServiceAccess] Creating client for SSO Admin on address: https://psc01.lab.local/sso-adminserver/sdk/vsphere.local

[2015-08-04 16:43:42,906 main  ERROR com.vmware.vim.install.impl.AdminServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified


I ssh to BDE2.2 management server, run:

     openssl s_client -connect psc01.lab.local:443 -tls1

I got:

          depth=1 C = US, DC = vsphere, DC = local, O = psc01.lab.local, CN = CA

          verify error:num=20:unable to get local issuer certificate

          verify return:0

        

        

CONNECTED(00000003)
---
Certificate chain
0 s:/CN=lab/C=CA/ST=QC/L=XX/O=XX/OU=Lab
   i:/C=US/DC=vsphere/DC=local/O=psc01.lab.local/CN=CA
1 s:/C=US/DC=vsphere/DC=local/O=psc01.lab.local/CN=CA
   i:/DC=local/DC=lab/CN=lab-DC-CA

so just like server certificate chain not verified, looks like BDE management appliance can not found my root CA certificate. now, i have my root CA certificate. my questions are:

1, where should i put this certificate? because i copy it to a folder, run "openssl s_client -connect psc01.lab.local:443 -CAfile /opt/chef-server/embedded/ssl/certs/rootca.crt -tls1" without error, but when i run "EnableSSOAuth" i still got same error.

2, can i replace BDE self-signed certificate with generate a csr and how can i do it?

thanks

0 Kudos
3 Replies
selinacui
Contributor
Contributor

It's a VC certificate issue. You can follow this KB to fix it.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=212168...

Thanks,

Selina

0 Kudos
Mohamedelsadek
Contributor
Contributor

Check DNS in Serengeti Server

check to ping vcenter server using fully qualified name FQN

0 Kudos
cmbwml1
Enthusiast
Enthusiast

I'm also looking for info on how to update BDE certificate.  Connection to appliance in vcenter web client extension keeps disconnecting with certificate error. 

0 Kudos